Bluetooth Headphone Hack

The Alert

This alert is specifically for members of the SHASS community who use Bluetooth headphones with their smartphone and who either have a high-visibility public presence or are involved in research or activism in politically charged arenas, which include but are not limited to the Middle East, China, Russia, Venezuela, and Iran.

The What

Please be aware that if you use Bluetooth headphones with your smartphone, your smartphone is potentially vulnerable to this attack. If you only use Apple’s earbuds, you are safe. You can stop reading here. If you use any third-party Bluetooth headphones, keep reading.

For everyone else who uses third-party Bluetooth headphones from makers including but not limited to Jabra, Sony, Bose, Marshall, and JBL: a debug protocol called RACE, by Airoha, was left active on your device. This protocol enables bad actors to pretend to be your headphones and hack into your device over Bluetooth.

The How

Attackers must be within 10 meters of you when they initiate this attack via BLE or Bluetooth Classic. That’s it. As long as your phone is on, the attacker will gain access to your device if you had previously paired a vulnerable Bluetooth headphone with your smartphone. They can install malware and spyware, and they can access your apps and banking if those are on your phone and set to remember passwords. They have full access to your smartphone. When you look at your smartphone, it will say your Bluetooth headphones are connected.

What to do

1) High-value targets are advised to use WIRED headphones ONLY.

2) For those who want to keep using their Bluetooth headphones, firmware updates for the headphones MUST be performed to make them secure. Go to your Bluetooth headphone manufacturer’s website and download any updaters. If the manufacturer does not offer them, it is up to you to decide how likely you feel it is that you will be targeted in an attack such as this. You may also research your specific model of headphone to see if it uses any Airoha components. If it doesn’t, you MIGHT be safe. Keep in mind that not all manufacturers list the makers of the components they use.

3) It is highly recommended that you unpair any and all old and unpatched Bluetooth headphones that use the Airoha chipset. Airoha itself released a fix to manufacturers on June 4, 2025. If you are no longer using an old set of Bluetooth headphones, remove the pairing from your phone.

4) Turn off Bluetooth when not in use.

5) Yes, users may also remove any sensitive apps, such as banking or purchasing apps, from their phone to make themselves less of a target. However, keep in mind that if a vulnerable Bluetooth headphone is not unpaired from your smartphone, malware and spyware will still likely be installed on your smartphone if you are hacked, even if you don’t have anything on your phone that can compromise your finances.

For more information, see the Blog Article “Bluetooth headphones can be used to hack your smartphone” on the MIT shassit website.

That is all. Please let us know if anyone has any questions! As always when it comes to technology, there are no stupid questions.